From 4ec91b46ede3c73487383611e7b96d4a57a9fe21 Mon Sep 17 00:00:00 2001
From: Mondo Diaz
Date: Tue, 13 Jan 2026 22:40:51 +0000
Subject: [PATCH] Fix security scan issues and harden docker-compose

Hadolint fixes:
- Use printf instead of echo for escape sequences
- Add hadolint ignore for apt pin version (DL3008)

KICS fixes (docker-compose):
- Add security_opt: no-new-privileges to all services
- Add mem_limit and cpus to prevent resource exhaustion
- Add healthcheck to orchard-server in docker-compose.yml

Gitleaks:
- Add .gitleaksignore for false positive (s3_key attribute name)
- Remove allow_failure from secrets job (now blocking)

Also:
- Remove || echo fallback from python_tests (tests should fail pipeline)
---
 .gitlab-ci.yml           |  5 ++---
 .gitleaksignore          |  6 ++++++
 Dockerfile               |  3 ++-
 docker-compose.local.yml | 20 ++++++++++++++++++++
 docker-compose.yml       | 26 ++++++++++++++++++++++++++
 5 files changed, 56 insertions(+), 4 deletions(-)
 create mode 100644 .gitleaksignore

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index bfb2e55..bac3b31 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -13,8 +13,7 @@ kics:
 hadolint:
   allow_failure: true
 
-secrets:
-  allow_failure: true
+# secrets job is a blocking check - real credential leaks should fail the pipeline
 
 # Run Python tests
 python_tests:
@@ -25,7 +24,7 @@ python_tests:
     - pip install pytest pytest-asyncio httpx
   script:
     - cd backend
-    - python -m pytest -v || echo "No tests yet"
+    - python -m pytest -v
 
 # Deploy to stage (main branch)
 deploy_stage:
diff --git a/.gitleaksignore b/.gitleaksignore
new file mode 100644
index 0000000..5bb8fdb
--- /dev/null
+++ b/.gitleaksignore
@@ -0,0 +1,6 @@
+# Gitleaks ignore file
+# https://github.com/gitleaks/gitleaks#gitleaksignore
+
+# False positive: s3_key is an attribute name, not a secret
+35fda65d381acc5ab59bc592ee3013f75906c197:backend/tests/unit/test_storage.py:generic-api-key:381
+08dce6cbb836b687002751fed4159bfc2da61f8b:backend/tests/unit/test_storage.py:generic-api-key:381
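Review bot: Deleting the `secrets:` override does not by itself make the job blocking; after this hunk the `secrets` job's `allow_failure` is whatever the included template sets, which is not visible here, so the replacement comment may promise more than the YAML guarantees. Making the intent explicit and independent of the template is two lines in place of the bare comment: `secrets:` / `  allow_failure: false`. `hadolint` keeps `allow_failure: true` in the context lines, so that scan stays advisory, which is consistent with the commit message.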
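Review bot: Both fingerprints are commit-scoped (the leading hash is the commit in which the finding occurred), so the second entry for the same file:rule:line already shows the suppression having to be re-added after the line was touched, and any future rebase, squash or edit of line 381 will surface the finding again and grow this list by one line each time. If `s3_key` is an attribute name rather than a credential, the durable fix is a rule- and path-scoped allowlist in the gitleaks config (an `[allowlist]` entry restricted to `backend/tests/unit/test_storage.py` with a regex matching the `s3_key` usage), which also records the reason next to the exception rather than in a comment that the next entry may not repeat. Whichever form is kept, the `# False positive:` comment should name who reviewed the value so later entries get the same check.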
diff --git a/Dockerfile b/Dockerfile
index 077a5b4..15eb090 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,9 +22,10 @@ RUN npm run build
 FROM containers.global.bsf.tools/python:3.12-slim
 
 # Disable proxy cache
-RUN echo 'Acquire::http::Pipeline-Depth 0;\nAcquire::http::No-Cache true;\nAcquire::BrokenProxy true;\n' > /etc/apt/apt.conf.d/99fixbadproxy
+RUN printf 'Acquire::http::Pipeline-Depth 0;\nAcquire::http::No-Cache true;\nAcquire::BrokenProxy true;\n' > /etc/apt/apt.conf.d/99fixbadproxy
 
 # Install system dependencies
+# hadolint ignore=DL3008
 RUN apt-get update && apt-get install -y --no-install-recommends \
     curl \
     && rm -rf /var/lib/apt/lists/*
diff --git a/docker-compose.local.yml b/docker-compose.local.yml
index 543a943..aa5b113 100644
--- a/docker-compose.local.yml
+++ b/docker-compose.local.yml
@@ -42,6 +42,10 @@ services:
       timeout: 3s
       start_period: 10s
       retries: 3
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 1g
+    cpus: 1.0
 
   postgres:
     image: postgres:16-alpine
@@ -62,6 +66,10 @@ services:
     networks:
       - orchard-network
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 512m
+    cpus: 0.5
 
   minio:
     image: minio/minio:latest
@@ -82,6 +90,10 @@ services:
     networks:
       - orchard-network
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 512m
+    cpus: 0.5
 
   minio-init:
     image: minio/mc:latest
@@ -97,6 +109,10 @@ services:
       "
     networks:
       - orchard-network
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 128m
+    cpus: 0.25
 
   redis:
     image: redis:7-alpine
@@ -113,6 +129,10 @@ services:
     networks:
       - orchard-network
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 256m
+    cpus: 0.25
 
 volumes:
   postgres-data-local:
diff --git a/docker-compose.yml b/docker-compose.yml
index 4e7d1c3..3f1455b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
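Review bot: The added `# hadolint ignore=DL3008` suppresses the unpinned-package finding without recording why `curl` is left unpinned, so the next reader cannot tell a deliberate trade-off from an oversight; add a line above it stating the rationale, e.g. `# curl is intentionally unpinned: Debian mirrors drop superseded package versions, so an exact pin breaks rebuilds` (if that is in fact the reason). The `printf` change is the right fix for the `\n` escapes, but the configuration text is now the format string; it contains no `%` today, and `printf '%b' '...'` would keep the escape handling while making a later percent sign harmless. Both RUN instructions start and end inside the hunk.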
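Review bot: Whether `mem_limit` and `cpus` are actually enforced depends on the `version:` the file declares and the Compose binary in use — Docker Compose v2 (compose-spec) honours these service-level keys, while the legacy v1 binary with a `version: "3.x"` file rejects or ignores them unless run with `--compatibility` — and the `version:` line is outside every hunk here, so confirm the runtime before treating this as the resource-exhaustion control the commit message describes. Memory and CPU caps also leave process-count exhaustion uncovered; `pids_limit` next to `cpus` (for example `pids_limit: 256`, a constructed value to be tuned per service) closes that gap cheaply. The same stanza is repeated in the other four hunks of this file and in all five hunks of docker-compose.yml, so one decision applies to all of them.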
@@ -34,6 +34,16 @@ services:
     networks:
       - orchard-network
     restart: unless-stopped
+    healthcheck:
+      test: ["CMD", "curl", "-f", "http://localhost:8080/health"]
+      interval: 30s
+      timeout: 3s
+      start_period: 10s
+      retries: 3
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 1g
+    cpus: 1.0
 
   postgres:
     image: containers.global.bsf.tools/postgres:16-alpine
@@ -54,6 +64,10 @@ services:
     networks:
       - orchard-network
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 512m
+    cpus: 0.5
 
   minio:
     image: containers.global.bsf.tools/minio/minio:latest
@@ -74,6 +88,10 @@ services:
     networks:
       - orchard-network
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 512m
+    cpus: 0.5
 
   minio-init:
     image: containers.global.bsf.tools/minio/mc:latest
@@ -89,6 +107,10 @@ services:
       "
     networks:
       - orchard-network
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 128m
+    cpus: 0.25
 
   redis:
     image: containers.global.bsf.tools/redis:7-alpine
@@ -105,6 +127,10 @@ services:
     networks:
       - orchard-network
     restart: unless-stopped
+    security_opt:
+      - no-new-privileges:true
+    mem_limit: 256m
+    cpus: 0.25
 
 volumes:
   postgres-data:
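Review bot: The new healthcheck depends on `curl` being present inside the orchard-server image, a coupling that is only satisfied because the Dockerfile in this same commit installs it; if curl is later removed from the runtime image to shrink its attack surface, every container will go `unhealthy` with no obvious cause in this file. Record the dependency beside the probe, e.g. `# probe uses curl, which the runtime stage of the Dockerfile installs`, or use a probe the base image already provides so curl can be dropped later. The port 8080 and `/health` path are taken from the probe line itself and cannot be verified from these hunks.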